Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I wanted to start a thread about the use of the root account. Reason being is that I had some questions that I wanted to get some feedback on about the proper use of the root account.
One thing I'm currently in the habit of is using the root account for a lot of the work I do. I am doing mostly, if not all, admin work on all of our servers. I understand that root is a very sensitive account. But, what would you recommend as guidelines for use of the root account?
I mean, at this time, we currently have only one office (soon to change though) with all of our servers internal. Even though everything is internal, I would still like to find out some proper usage/guidelines, thoughts etc. to make sure I'm not abusing the root account (meaning, is it bad to consistently use the root account for daily admin duties?).
I'm looking forward to hearing some responses and recommendations.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
My first recommendation would be to install and configure sudo. That lets you execute single commands with root privileges, without actually logging in as that account. Make sure you only grant the sudo privileges that you will actually need, not ALL ALL:ALL. This is a very handy tool if you have to grant an admin very limited access to change a few things, but you don't want them to have full control over the box.
Whether delegating tasks through sudo works or not, make sure you deny remote access to the account, fixate file attributes (chattr), limit the time spent and limit the "freedom" of movement during interactive logins, like exporting sane environment variables, checking $TMP/dir/file ownage, minimize using SXid tools, tools shared with "human" users or outside root's trusted $PATH and not using recreational utilities or games.
For the rest it's IMO just using common sense, like for instance you don't need root privileges to build (rpm) packages, and plain vigilance like enforcing regular audits (integrity, system, network), log(in) checks etc etc.
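As an added example (not part of any post in this thread): a small shell check for two of the recommendations above, scoped sudo rules instead of blanket ALL grants, and no remote root login. The function names and the sample sudoers and sshd_config text are constructed for illustration, and the sudoers parsing is deliberately simplified.

```shell
#!/bin/sh
# Added example, not from the thread. All sample text below is constructed.

# Constructed sudoers text: two blanket grants, one scoped grant.
SAMPLE_SUDOERS='# constructed sample
alice   ALL=(ALL:ALL) ALL
bob     ALL=(root) /sbin/service httpd restart, /usr/bin/tail /var/log/messages
%ops    ALL=(ALL) NOPASSWD: ALL'

# Constructed sshd_config text.
SAMPLE_SSHD='Port 22
PermitRootLogin yes'

# Print the user or %group of every rule whose command list contains bare ALL.
# Simplified parser: ignores aliases, line continuations and escaped commas.
blanket_sudo_grants() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }  # settings and aliases
        {
            spec = $0
            sub(/^[^=]*=/, "", spec)            # drop "who host ="
            sub(/^[ \t]*\([^)]*\)/, "", spec)   # drop "(runas)"
            gsub(/[A-Z]+:/, "", spec)           # drop tags such as NOPASSWD:
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
                if (c == "ALL") { print $1; break }
            }
        }'
}

# Exit 0 when the config text lets root log in over SSH in any form.
# sshd uses the first value it reads for a keyword. Match blocks and an
# absent keyword (compiled-in default) are not evaluated here.
root_login_allowed() {
    val=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    [ -n "$val" ] && [ "$val" != "no" ]
}

echo "Blanket sudo grants:"
blanket_sudo_grants "$SAMPLE_SUDOERS"
if root_login_allowed "$SAMPLE_SSHD"; then echo "sshd permits root login"; fi
```

On a real host, feed the functions the contents of the live files, and edit sudoers only through `visudo` so a syntax error cannot lock out sudo.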